@blocklet/xss 0.1.26 → 0.1.27

package/cjs/index.d.ts

@@ -4,5 +4,10 @@ export declare function xss(options?: SanitizeOptions): (req: any, res: any, nex
 declare const _default: {
     xss: typeof xss;
     initSanitize: (_options?: SanitizeOptions) => any;
+    isSvgFile: (svgContent: string, file?: {
+        name?: string;
+        type?: string;
+    }) => boolean;
+    sanitizeSvg: (svgContent: string) => string;
 };
 export default _default;

package/cjs/index.js

@@ -33,5 +33,7 @@ function xss(options = {}) {
 }
 module.exports = {
   xss,
-  initSanitize: _utils.initSanitize
+  initSanitize: _utils.initSanitize,
+  isSvgFile: _utils.isSvgFile,
+  sanitizeSvg: _utils.sanitizeSvg
 };

package/cjs/utils.d.ts

@@ -1,2 +1,7 @@
 import { SanitizeOptions } from './types';
 export declare const initSanitize: (_options?: SanitizeOptions) => any;
+export declare const sanitizeSvg: (svgContent: string) => string;
+export declare const isSvgFile: (svgContent: string, file?: {
+    name?: string;
+    type?: string;
+}) => boolean;

package/cjs/utils.js

@@ -3,9 +3,10 @@
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
-exports.initSanitize = void 0;
+exports.sanitizeSvg = exports.isSvgFile = exports.initSanitize = void 0;
 var xss = _interopRequireWildcard(require("xss"));
 var _omit = _interopRequireDefault(require("lodash/omit"));
+var _path = _interopRequireDefault(require("path"));
 function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
 function _getRequireWildcardCache(e) { if ("function" != typeof WeakMap) return null; var r = new WeakMap(), t = new WeakMap(); return (_getRequireWildcardCache = function (e) { return e ? t : r; })(e); }
 function _interopRequireWildcard(e, r) { if (!r && e && e.__esModule) return e; if (null === e || "object" != typeof e && "function" != typeof e) return { default: e }; var t = _getRequireWildcardCache(r); if (t && t.has(e)) return t.get(e); var n = { __proto__: null }, a = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var u in e) if ("default" !== u && {}.hasOwnProperty.call(e, u)) { var i = a ? Object.getOwnPropertyDescriptor(e, u) : null; i && (i.get || i.set) ? Object.defineProperty(n, u, i) : n[u] = e[u]; } return n.default = e, t && t.set(e, n), n; }
@@ -64,4 +65,84 @@ const initSanitize = (_options = {}) => {
   };
   return sanitize;
 };
-exports.initSanitize = initSanitize;
+exports.initSanitize = initSanitize;
+const svgWhiteList = {
+  svg: ["width", "height", "viewBox", "xmlns", "version", "preserveAspectRatio", "xml:space"],
+  circle: ["cx", "cy", "r", "fill", "stroke", "stroke-width", "fill-opacity", "stroke-opacity"],
+  ellipse: ["cx", "cy", "rx", "ry", "fill", "stroke", "stroke-width"],
+  line: ["x1", "y1", "x2", "y2", "stroke", "stroke-width"],
+  path: ["d", "fill", "stroke", "stroke-width", "fill-rule", "stroke-linecap", "stroke-linejoin"],
+  polygon: ["points", "fill", "stroke", "stroke-width"],
+  polyline: ["points", "fill", "stroke", "stroke-width"],
+  rect: ["x", "y", "width", "height", "rx", "ry", "fill", "stroke", "stroke-width"],
+  g: ["transform", "fill", "stroke"],
+  text: ["x", "y", "font-size", "font-family", "text-anchor", "fill"],
+  defs: [],
+  clipPath: ["id"],
+  mask: ["id"],
+  use: ["x", "y", "width", "height"],
+  linearGradient: ["id", "x1", "y1", "x2", "y2", "gradientUnits"],
+  radialGradient: ["id", "cx", "cy", "r", "fx", "fy", "gradientUnits"],
+  stop: ["offset", "stop-color", "stop-opacity"],
+  pattern: ["id", "width", "height", "patternUnits", "patternTransform"]
+};
+const svgSanitizeOptions = {
+  whiteList: svgWhiteList,
+  stripIgnoreTagBody: ["script", "style"],
+  onIgnoreTag: function (tag, html, options) {
+    return "";
+  },
+  onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
+    if (name.startsWith("on") || name === "href" || name === "xlink:href") {
+      return "";
+    }
+    if (name === "style") {
+      const safeValue = value.replace(/expression\(.*\)|javascript:|data:|@import|behavior|binding|moz-binding/gi, "");
+      if (safeValue !== value) {
+        return "";
+      }
+      return `${name}="${safeValue}"`;
+    }
+    if (tag === "use" && (name === "href" || name === "xlink:href")) {
+      if (value.startsWith("#") && !/[<>"']/.test(value)) {
+        return `${name}="${value}"`;
+      }
+      return "";
+    }
+    if (name === "id" || name === "class") {
+      return `${name}="${value}"`;
+    }
+  }
+};
+const sanitizeSvg = svgContent => {
+  const isSvg = isSvgFile(svgContent);
+  if (!isSvg) {
+    throw new Error("Invalid SVG content");
+  }
+  const xssInstance = new xss.FilterXSS(svgSanitizeOptions);
+  return xssInstance.process(svgContent);
+};
+exports.sanitizeSvg = sanitizeSvg;
+const isSvgFile = (svgContent, file) => {
+  if (typeof svgContent !== "string") {
+    return false;
+  }
+  const svgRegex = /<svg[^>]*?(?:>|\/>)|<\?xml[^>]*>\s*<svg[^>]*?(?:>|\/?>)/i;
+  const isSvg = svgRegex.test(svgContent);
+  if (!isSvg) {
+    return false;
+  }
+  if (file?.name) {
+    const ext = _path.default.extname(file.name).toLowerCase();
+    if (ext !== ".svg") {
+      return false;
+    }
+  }
+  if (file?.type) {
+    if (!file.type.toLowerCase().includes("image/svg")) {
+      return false;
+    }
+  }
+  return true;
+};
+exports.isSvgFile = isSvgFile;

package/es/index.d.ts

@@ -4,5 +4,10 @@ export declare function xss(options?: SanitizeOptions): (req: any, res: any, nex
 declare const _default: {
     xss: typeof xss;
     initSanitize: (_options?: SanitizeOptions) => any;
+    isSvgFile: (svgContent: string, file?: {
+        name?: string;
+        type?: string;
+    }) => boolean;
+    sanitizeSvg: (svgContent: string) => string;
 };
 export default _default;

package/es/index.js

@@ -1,4 +1,4 @@
-import { initSanitize } from "./utils.js";
+import { initSanitize, isSvgFile, sanitizeSvg } from "./utils.js";
 export * from "./utils.js";
 export function xss(options = {}) {
   const sanitize = initSanitize(options);
@@ -13,5 +13,7 @@ export function xss(options = {}) {
 }
 export default {
   xss,
-  initSanitize
+  initSanitize,
+  isSvgFile,
+  sanitizeSvg
 };

package/es/utils.d.ts

@@ -1,2 +1,7 @@
 import { SanitizeOptions } from './types';
 export declare const initSanitize: (_options?: SanitizeOptions) => any;
+export declare const sanitizeSvg: (svgContent: string) => string;
+export declare const isSvgFile: (svgContent: string, file?: {
+    name?: string;
+    type?: string;
+}) => boolean;

package/es/utils.js

@@ -1,5 +1,6 @@
 import * as xss from "xss";
 import omit from "lodash/omit";
+import path from "path";
 const ignoreTagList = [
   // here is a blacklist
   "script",
@@ -79,3 +80,81 @@ export const initSanitize = (_options = {}) => {
   };
   return sanitize;
 };
+const svgWhiteList = {
+  svg: ["width", "height", "viewBox", "xmlns", "version", "preserveAspectRatio", "xml:space"],
+  circle: ["cx", "cy", "r", "fill", "stroke", "stroke-width", "fill-opacity", "stroke-opacity"],
+  ellipse: ["cx", "cy", "rx", "ry", "fill", "stroke", "stroke-width"],
+  line: ["x1", "y1", "x2", "y2", "stroke", "stroke-width"],
+  path: ["d", "fill", "stroke", "stroke-width", "fill-rule", "stroke-linecap", "stroke-linejoin"],
+  polygon: ["points", "fill", "stroke", "stroke-width"],
+  polyline: ["points", "fill", "stroke", "stroke-width"],
+  rect: ["x", "y", "width", "height", "rx", "ry", "fill", "stroke", "stroke-width"],
+  g: ["transform", "fill", "stroke"],
+  text: ["x", "y", "font-size", "font-family", "text-anchor", "fill"],
+  defs: [],
+  clipPath: ["id"],
+  mask: ["id"],
+  use: ["x", "y", "width", "height"],
+  linearGradient: ["id", "x1", "y1", "x2", "y2", "gradientUnits"],
+  radialGradient: ["id", "cx", "cy", "r", "fx", "fy", "gradientUnits"],
+  stop: ["offset", "stop-color", "stop-opacity"],
+  pattern: ["id", "width", "height", "patternUnits", "patternTransform"]
+};
+const svgSanitizeOptions = {
+  whiteList: svgWhiteList,
+  stripIgnoreTagBody: ["script", "style"],
+  onIgnoreTag: function(tag, html, options) {
+    return "";
+  },
+  onIgnoreTagAttr: function(tag, name, value, isWhiteAttr) {
+    if (name.startsWith("on") || name === "href" || name === "xlink:href") {
+      return "";
+    }
+    if (name === "style") {
+      const safeValue = value.replace(/expression\(.*\)|javascript:|data:|@import|behavior|binding|moz-binding/gi, "");
+      if (safeValue !== value) {
+        return "";
+      }
+      return `${name}="${safeValue}"`;
+    }
+    if (tag === "use" && (name === "href" || name === "xlink:href")) {
+      if (value.startsWith("#") && !/[<>"']/.test(value)) {
+        return `${name}="${value}"`;
+      }
+      return "";
+    }
+    if (name === "id" || name === "class") {
+      return `${name}="${value}"`;
+    }
+  }
+};
+export const sanitizeSvg = (svgContent) => {
+  const isSvg = isSvgFile(svgContent);
+  if (!isSvg) {
+    throw new Error("Invalid SVG content");
+  }
+  const xssInstance = new xss.FilterXSS(svgSanitizeOptions);
+  return xssInstance.process(svgContent);
+};
+export const isSvgFile = (svgContent, file) => {
+  if (typeof svgContent !== "string") {
+    return false;
+  }
+  const svgRegex = /<svg[^>]*?(?:>|\/>)|<\?xml[^>]*>\s*<svg[^>]*?(?:>|\/?>)/i;
+  const isSvg = svgRegex.test(svgContent);
+  if (!isSvg) {
+    return false;
+  }
+  if (file?.name) {
+    const ext = path.extname(file.name).toLowerCase();
+    if (ext !== ".svg") {
+      return false;
+    }
+  }
+  if (file?.type) {
+    if (!file.type.toLowerCase().includes("image/svg")) {
+      return false;
+    }
+  }
+  return true;
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blocklet/xss",
-  "version": "0.1.26",
+  "version": "0.1.27",
   "description": "blocklet prevent xss attack",
   "publishConfig": {
     "access": "public"